Configuring Central Web Authentication - Wireless

Captions
Right now my box is working with what? Wired CWA. What I want to do is do the same thing, but in a wireless network. And actually, to be honest with you, it's more used in a wireless network, because most of the guests coming in are not going to plug their laptops into the socket; they're going to do it based on wireless, especially in today's day and age. So how do I do CWA for wireless?

First thing I will do is disable this. Good. They'll do this later on, enabling of that. What do I need to do to set it up? I've already set up my WLC, remember? Let's just log into it. It's just basic configuration, the one that you do from the CLI. Make sure my AP is registered. Other than that, it doesn't have anything. Let's set the relationship between the WLC and the ISE. Security, authentication, you... oh sorry, accounting. I was supposed to be danda we're now. Normal stuff that I need to do, what you would normally do. What is that? Create interface under Controller. Let's do two: one for VLAN 20 and say four to backup three. You guys know how to do this, right?

Next, wireless LANs. Create a new one, let's say CWA. Enable it. This remains the same, this remains the same. Security: none, MAB. Why MAB? Remember over there, what did I do? Wired MAB and continue. Over here I'm going to do wireless MAB, continue. Their theater libras is AAA server, same thing that we did. You guys remember this? There should be second nature by now if you've done the labs. Advanced, but everything fine. You guys okay? What did I do over here? Enable it. Security: Layer 2, none with MAC filtering; Layer 3 as is; AAA, normal stuff. Enable it, enable the authentication, accounting server, override enabled, change it to RADIUS for authentication. Good. Advanced: enable the AAA override, change the NAC state to RADIUS NAC. Apply it. So I have that ready. Good. Clear?

Now, do you guys remember I created that redirect ACL on the switch, so any traffic that comes in gets redirected? On the wireless, the main difference is you don't have a redirect ACL. The preauth and the redirect do the same job. The preauth and redirect do the same job. So whatever you specify is allowed; whatever you don't specify is redirected. But what you need to do is create that ACL where? On the WLC. You need to create that ACL where? On the WLC. You need to use the name; you need to push down the name from where? ISE.

Where? Security, Access Control Lists, Access Control Lists. Enable counters, because I want to see the hit count. I'll show either ill Council three formula called CWA three. Remember this name; actually, I'll just copy it, because this is exactly the name that I need to specify on ISE. Apply.

Now, the entries in there: this is where you need to be real careful. The entries are for both-way traffic, in and out. It doesn't create return entries. Remember the entries that I have: DHCP, DNS, access to ISE. I'll start with ISE first. Add rule 1: permit, source any, destination any... source any, destination any, protocol IP, any host dis social. Now this is what I wanted to tell you, your honor: not only that to eat all other returned traffic as well. So this ACL will also contain one... take a look at the two entries: permit anybody to 192 168 135 and 135. You need to do both entries. Similarly, source any, destination any, protocol UDP, source port value later, destination s document server or client. All right, permit. Add another one, danai at the end: any-any UDP, source client. Take a look prior to the destination, client in the source, and I am good. Keep on going slides you DB, server in the source port. Ah, and now server in the server, server, client, client in both places. The last two is your DNS. Seven: source any, UDP will do, destination as DNS. That's good. Just remember there are nine entries, a gene to have the last one denying. This becomes your what? Preauth ACL and your redirection ACL. Whatever is not allowed is redirected.

I create this over here. Not only that, I can also create over here of CWA sales, but it usernames, passwords, all the type of stuff, everything is pushed down from thee while Devon. But this is not over here; you don't have a choice, member. Even this is CWI's, because everything is controlled from... the accounts are created... you don't have any accounts created over here. Yeah, it's similar, similar to that, but there's a little bit more over here done with this, because it's centralized based on those portal configurations, whereas there you don't do any of that; it's just a normal username/password.

So post-auth: put something in. Let's say source any, destination, protocol... let's say I want to deny TCP telnet. Deny that. For Medini did I tell them permit the rest. This is what my post-auth.

First thing that I want to do is I want to get my preauth. How do I do it? Now the ISE portion; should have done the WLC. What do I do on the ISE portion? The first thing: go to your authentication, duplicate above or below, doesn't matter. Make sure all those should be there because I copied it, but make sure that you have the user not found. Not create a different group, or you can use the same group; it doesn't really matter. I can use the same group if I want to. I can create a different group for the, what you call it, the admin-created. Remember this, I had the admin-created wired. I can do a cells let's do it admin-created wireless, and they're not... don't put any users in there; they will be created later on. You just need to create it over here.

What I also do for wireless, because I want to put the wireless users in a different one: I'll create a different portal for wireless. Okay, how do I do that? Settings, Guest, multi-portal, add, custom wireless. Actually, this one, the policy is the same for both. It doesn't matter, because for self-created there is only one you can put it, self-created, so I cannot do two. Yeah, so I can use the same one. So I'm done with that. So that this or known for portal for the self-created, the single one; for the self-created there is only one. So this is done; I don't need to do anything over here. Actually, only if I wanted to do it for different wireless groups they have been created; otherwise it's the same.

The next thing: I'll go into my results over here. I'll specify my authorization profiles. I don't need to create any ACLs over here; all over there. Add: CWA preauth wireless. No DACL, no DACL, no, not even Airespace, and put it on 100 initially. Web authentication: centralized. ACL: CWA preauth, the name of that preauth ACL. You get my point? This ACL will act as a redirect ACL as well as the preauth ACL, so you don't have a data load. Change this too faster. Create another one: CWA wireless post-auth. Again no DACL. VLAN, let's say 30. Airespace ACL: what did I call it? So if the user is successful, push the name down. So I created mine, two: one preauth and one post-auth.

Let's go back to our authorizations. We'll do this as duplicate above: CWA preauth... if this is what? Wireless MAB, then use... You guys okay with this one? These two for right now, this one, this one, I'll disable the wired. I'm gonna disable which one? Self-created. Instead I'm going to do CWA self-created wireless. Group, which one? Selfie... I think it's still self-created wired, because I didn't change it; portal is still wired, right? Authorization, we'll start wireless. Let's take a look, what does it say? If it's self-created wireless, this user, put this post-auth. What does this CWA wireless post-auth do? Download that ACL, denying telnet and permitting the rest. Good, good.

What you need to do then is you need to segregate it based on not just the group, the way it is authenticated. You can do it like that; we'll do it next. That's an option. I didn't do it on the other one, so you would have trade, because I didn't do it. Then I would need to change that and this one, so that's why it's easier to just disable. Done.

How do I test it? We're ready for testing, so let's go over here. This is disabled and enabled. Did we create the SSID? Avedon CW is what I would like. All right, manage, and authentication, start automatically, next. It's connecting to see the pit that. Let's take a look under dot 117. Actually, let me you'll put a different one up for this one. riad has locked it cell service Gerry dongji coppy comes back and should be.

So what's the difference between wireless and wired? The ACL. I don't have two ACLs; I have one ACL that acts as my preauth and the redirect, and is created where? On the WLC portion. That's general. Even when we were doing normal, when we're doing ACL with WLC and ISE, I never created my ACL on the ISE; it was always created on the WLC, even when we did the normal VLAN and ACL, even with 802.1X authentication. That's general with wireless: you never create an ACL where? On the ISE. It's always created on the... Simple enough.

Other than that, on the actual CWA part there is no change. No change in the sense of concept series, there is no change. Yes, I created different groups because I was doing different type of things, but the concepts are same. If you think about it, I didn't change anything in the portal at all; the portal was exactly the same. The only things I changed was what? Authorizations and authentication, which I needed to, because there was a different type of Education is. Right now I disabled it because my policy was different. See what I... I would have to create two different... see, the only thing that I would need to do over here, remember, over here, what did I do? I said just self-created wired. I would not you say in self great viola to say self-created, because you can only specify one group. But then what I would do is I would have the condition over here as an AND; would say for wireless, if it's wireless MAB and blue CWA wireless, self-created and wireless MAB, and then I would duplicate it: self-created so great a same food, but the difference would be now they can use the same no day. I would... I can use a different one; again, use the same one if I want to. But generally, if you want, you have the ability to specify to everyone, so you know, good preauth wired, where is that, and color. Same group, but if it's a wireless user, give them this profile; if it's a wired user, give them this profile.

So I'm doing it and process this custom profile is stable it will be one meaning this custom profiles... yeah, custom is the same as TV one. Now it will, I mean now provider by distinguishing about based on the type of snap exam what happened happened, because I cannot do it over there, because I can only specify one group for self-created. Self-created again is not something that's very commonly used. Why not? That's giving the user that's coming in full access; he can come and create his own account. I did it over here because I was lazy, not to copy and paste and have errors in those asterisks and the numbers, but generally you would do what you do happen to be. Yeah, my point. That is CWA.
Info
Channel: Khawar Butt
Views: 26,584
Rating: 4.6190476 out of 5
Keywords: Cisco ISE, CWA, CWA - Wireless, Authentication (Website Category), Wireless (Industry)
Id: ecISFhhJaFI
Length: 27min 2sec (1622 seconds)
Published: Sun Aug 31 2014